Regarding security of Disroot mail account.

Dear Disroot community,

I have enabled 2-step verification in my Disroot mail account. Whenever I log in to my account on the web version it asks for the 2-step code, but today when I tried to log in from the Thunderbird mail client it logged me in without asking for the 2-step verification code.

Is it a bug or was it designed to work this way?


As stated in a few places (we should put it in the FAQ), 2FA is generally not enabled for IMAP/POP3 because there is no support for it. 2FA in webmail was enabled because of many requests, though I personally think it's not protecting against IMAP attacks, for example. At this point there is no easy way to provide two-factor authentication at the IMAP/POP3 level, but it's not impossible. Hopefully in the future we will think of a proper way to implement it.
At this point we are running anti-brute-force protection which blocks IP addresses when a user's password is mistyped too many times. We are going to roll out a similar feature that will block the entire user account in a matter of two/three weeks. That prevents one form of attack (when someone simply tries to brute force) but of course does not prevent someone who knows the password from logging in.
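An added illustration, not from the thread or from Disroot's own tooling, of the difference between the two lockout modes described above: per-IP blocking catches repeated failures from one address, while per-account lockout also catches a single account being tried from many addresses. The Dovecot-style log lines and IP addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample lines in Dovecot's imap-login format (not real logs).
# alice: one failure each from four different addresses (spread-out guessing)
# bob:   three failures from a single address (classic brute force)
SAMPLE_LOG = """\
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.6
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.8
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.9
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.9
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.9
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=198.51.100.9
imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.10
"""

# Only failed authentications count; successful "Login:" lines are ignored.
AUTH_FAIL = re.compile(r"auth failed.*user=<([^>]*)>.*rip=([\d.]+)")


def lockout_decisions(log_text, ip_threshold=3, account_threshold=3):
    """Count IMAP auth failures per source IP and per account.

    Returns (blocked_ips, blocked_accounts): the set of IPs that reached
    ip_threshold failures, and the set of accounts that reached
    account_threshold failures regardless of where the attempts came from.
    """
    fails_per_ip = defaultdict(int)
    fails_per_account = defaultdict(int)
    for line in log_text.splitlines():
        match = AUTH_FAIL.search(line)
        if not match:
            continue
        user, ip = match.groups()
        fails_per_ip[ip] += 1
        fails_per_account[user] += 1
    blocked_ips = {ip for ip, n in fails_per_ip.items() if n >= ip_threshold}
    blocked_accounts = {u for u, n in fails_per_account.items() if n >= account_threshold}
    return blocked_ips, blocked_accounts
```

With the sample above, IP blocking stops only 198.51.100.9, so alice's account stays open to further guesses; the per-account rule locks both alice and bob, which is the gap the planned account-level lockout closes (neither rule helps once the correct password is known).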

TIL IMAP/POP3 bypasses 2FA for almost all email providers.

Is there any way to disable IMAP support for my Disroot email?

No. The webmail is in fact just an IMAP client. The only way would be to disable access to the IMAP port for everyone but the IP of the webmail.

Maybe there is a way to disable it on a per-user basis, with the exception of webmail, but I didn't hear about it. It is something we are thinking about looking into (global 2FA for all services), but at the moment we want to focus on other things such as mailbox encryption, XMPP webclient improvements, and the Hubzilla public launch.

Can't give any ETA at this point, but probably we will put it on the roadmap for next year.

